Last week was, for most Americans, a four-day work week. But a lot still happened in the security world.
The U.S. government’s cybersecurity agencies warned of two critical vulnerabilities — one in Palo Alto’s networking tech and the other in F5’s gear — that foreign, nation state-backed hackers will “likely” exploit these flaws to get access to networks, steal data or spread malware. Plus, the FCC formally declared Chinese tech giants Huawei and ZTE as threats to national security.
Here’s more from the week.
THE BIG PICTURE
How police hacked a massive criminal phone network
Last week’s takedown of EncroChat was, according to police, the “biggest and most significant” law enforcement operation against organized criminals in the history of the U.K. EncroChat sold encrypted phones with custom software akin to how BlackBerry phones used to work; you needed one to talk to other device owners.
But the phone network was used almost exclusively by criminals, allowing their illicit activities to be kept secret and go unimpeded: drug deals, violent attacks, corruption — even murders.
That is, until French police hacked into the network, broke the encryption and uncovered millions of messages, according to Vice, which covered the takedown of the network. The circumstances of the case are unique; police have not taken down a network like this before.
But technical details of the case remain under wraps, likely until criminal trials begin, at which point attorneys for the alleged criminals are likely to rest much of their defense on the means — and legality — in which the hack was carried out.
Zoom misses its own transparency report deadline
After the video conferencing giant faced a stream of criticism for mishandling security bugs and misleading users into thinking their calls were end-to-end encrypted (they weren’t), Zoom laid out its plan for dealing with its issues — to its credit. The company brought on advisors, a new chief information security officer and actually rolled out end-to-end encryption — first for paying customers, but then to everyone after facing, you guessed it, even more criticism.
But Zoom fell short on its promise to publish a transparency report, which would have detailed the number of government demands for user data Zoom receives.
Zoom planned to post the report by June 30 after the company suspended the accounts of three non-Chinese users after commemorating the anniversary of the Tiananmen Square massacre, an event that’s cloaked in secrecy and censorship in mainland China, at the request of the Chinese government.
Zoom refused to tell TechCrunch why the report is delayed, only that it’ll land at some point later this year. But given Zoom’s massive spike in users since the pandemic began, industry watchers are keen to know just how willing the company’s CEO is “to work together with the FBI,” in his own words.
Don’t be fooled by Google’s latest privacy push
Tech giants have a knack for blowing “good” privacy changes out of proportion. No more so than Google, which last week announced a number of changes, written by the chief executive himself, ostensibly giving users more control over how long the search giant holds their data.
Really, the changes were piecemeal at most. Per Gizmodo’s analysis, they affect only a small fraction of the data that it holds on you and does little, if anything, to address the data it collects via Google’s ads business — its primary moneymaker — which is far, far more difficult to delete. Gizmodo explains more.
MOVERS AND SHAKERS
Troy Hunt might be best known for founding Have I Been Pwned, a data breach notification service that has, at the time of writing, close to 10 billion breached records in its massive database. The goal of the service is to help notify victims of a breach or security lapse that their information has been exposed.
Almost seven years in, Hunt spoke with TechCrunch about the service’s early days, how, as its sole proprietor, he made all of the ethical decisions behind loading some of the most sensitive breaches, and the exhausting year as he tried to sell the service — an effort that landed him back at square one after more than a year.
“We’ve lost control of our data as individuals,” he told TechCrunch, as he reflected on the past year. Not even Hunt is immune to data breaches. At close to 10 billion records, Hunt has been “pwned” more than 20 times, he said. Sometimes the first he learns that his own data has been compromised is when he loads it into Have I Been Pwned.
“It still surprises me the places that I turn up,” he told me. You can find the full interview on TechCrunch.
$ECURITY $TARTUPS
Randori, the security platform startup that helps red teams and other security researchers run offensive engagements, raised $20 million in its Series A round of funding, the company said. The round was led by Harmony Partners, with participation from existing investors. Randori said it’ll use the round to expand its platform and to double down on its engineering efforts to meet its growing customer demands.
And, digital asset startup Curv has raised $23 million, backed by CommerzVentures and Coinbase Ventures, among others. Curv offers keyless cryptography — the logic is that without private keys, there’s nothing to leak or get stolen.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.